Insecure Random Number Generator in Progress DataDirect Connect for ODBC with Oracle Advanced Security Encryption
CVE-2023-34363

5.9 MEDIUM

Key Information:

Vendor: Progress
CVE Published: 9 June 2023

Summary

Progress DataDirect Connect for ODBC before version 08.02.2770 is affected when Oracle Advanced Security (OAS) encryption is in use. If an error occurs while the encryption object is being initialized, the code falls back to a different, less secure encryption mechanism that uses a flawed random number generator to generate the key. An attacker may be able to predict the private key generated this way, which compromises the encryption of data transmitted between the driver and the database server. The flaw is not present when SSL/TLS encryption is used.

CVSS V3.1

Score: 5.9
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
